lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 8 Aug 2012 13:28:40 -0400
From: Jason Hellenthal <jhellenthal@...aix.net>
To: Bogdan Calin <bogdan@...netix.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: htaccess files should not be used for
 security restrictions


Thank you for the article.

All-in-all I find it to be more centric to the design of the software or
beit in this case PHP apps and not as the subject suggests ".htaccess"
files.

There are way too many "get-ritch-quick" upcoming PHP scripters out
there that are not aware or even nearly knowledgeable about the
configuration of one webserver more or less the multiple main stream
systems that are out there. Not to mention the drop-in web services that
require nearly no knowledge of what your doing that are unmanaged.

But all that set aside, and no matter what the deployed application is,
it is worthwhile to make an attempt to educate them on the possible
drawbacks of not performing certain tasks after installation.

Too bad there is no "Sensitive Information Section" in readme files and
other documentation that lists files a user/admin needs to make a
judgement on.


Anyway... informative article and thank you again.


On Wed, Aug 08, 2012 at 04:59:56PM +0300, Bogdan Calin wrote:
> Hi guys,
> 
> I wrote a blog post about security issues related with htaccess files.
> http://www.acunetix.com/blog/web-security-zone/articles/htaccess-security/
> 
> -- 
> Bogdan Calin - bogdan [at] acunetix.com
> CTO
> Acunetix Ltd. - http://www.acunetix.com
> Acunetix Web Security Blog - http://www.acunetix.com/blog
> Follow us on Twitter - http://www.twitter.com/acunetix
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 

 - (2^(N-1)) JJH48-ARIN

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ